HP pays up to $10,000 for printer bugs, hackers get remote access
Another program has been added to the list of bug bounty programs. White-hat hackers and researchers can now claim up to $10,000 if they find vulnerabilities in HP printers. The company announced the launch of the program on August 31, becoming the first printer manufacturer in the world to pay for bugs.
Vulnerabilities in printers and other peripherals are a frequent target for attackers. While a home printer is of little use for this purpose, in a corporate environment such a device is usually connected to the local network and can serve as an entry point, especially if system administrators do not keep its firmware up to date. According to the 2018 State of Bug Bounty Report from Bugcrowd, over the past 12 months (April 1, 2017 to March 31, 2018) the number of bugs found increased by 21% compared with the previous year.
HP's vulnerability payout program launched on the Bugcrowd platform, one of several platforms where hackers can choose targets to attack, earn a rating and receive rewards many times higher than the salaries of developers working for hire. The biggest reward in the history of Bugcrowd was recently paid by Samsung: $114,000. However, HackerOne, the largest hacker site on the Internet, pays even more: even some small companies offer rewards of up to $200,000, as much as Apple gives for iPhone exploits, which cost up to $1.5 million on the black market. Finding vulnerabilities has become a profitable business.
In a comment to ZDNet, an HP spokesman said: “We are challenging researchers to search for unknown defects that can be used against our customers. We provide researchers with remote access to a set of corporate multifunction printers and invite researchers to focus on potential malicious actions at the embedded software level, including CSRF, RCE and XSS.”
The HP spokesman added that rewards would be paid even if the identified vulnerability had already been discovered by the company's own specialists, as long as the information is not yet public. Researchers are asked to focus on vulnerabilities in printer firmware.
HP's director of printing security, Shivaun Albright, said: “For many years, the cybersecurity discussion has focused on software and networks. Today, attackers are also targeting endpoint devices. Connected devices such as printers on the edge of the network have become paramount.”
HP runs the program in private mode (a private program). Most companies on the Bugcrowd platform prefer this arrangement, in which hackers are asked not to attack public services and devices but to work in a controlled environment. In particular, 79% of all new programs launched over the past year were private.
Overall, the community of white-hat hackers and researchers who look for bugs and earn money doing so is growing steadily. On Bugcrowd, the community has grown by 71% over the past year and now includes hackers from 113 countries. Russian hackers are among the leaders in the number of bugs found.
In total, more than 87,700 researchers are registered, of whom almost 4,000 have verified their identity and about 7,000 have reported at least one unique vulnerability. The audience of these sites is mostly young: on Bugcrowd, about 71% of users are aged 18-29.
The average payout per vulnerability found is $781, and stored Cross-Site Scripting (XSS) vulnerabilities rank first by payout. By number of reports, reflected Cross-Site Scripting (XSS) ranks first, but these belong to the third severity class (P3), and such bugs are not always paid. A hacker can still add one to their record and list it in their profile to raise their reputation and rating, which is also worthwhile.
Total payouts on Bugcrowd over the past year exceeded $6 million. More than 81% of this money was paid for hacking websites. Far behind are bugs in hardware and gadgets (6.7%), APIs (5.8%), Android (3.1%), Internet of Things devices (2.5%) and iOS (0.7%).